The gist: Organizations frequently stumble in NIS2 implementation because of weak governance structures, insufficient risk assessment, unprepared incident reporting processes, and poor supply chain controls.
Computer Weekly documents five key challenges that organizations overlook or mishandle when implementing the NIS2 Directive. Compliance officers should be aware of these pitfalls to sharpen their implementation projects.
The EU’s NIS2 Directive on network and information security imposes significant requirements on organizations and critical infrastructure. Particularly complex areas such as governance, risk assessment, incident reporting, and supply chain management create implementation uncertainties.
A significant stumbling block is inadequate governance: Many organizations fail to establish clear accountability at C-level, or do not adequately separate cybersecurity oversight from day-to-day IT management. Additionally, organizations frequently underestimate the effort required for a documented risk assessment and for continuous review of their risk landscape as threats, systems and suppliers change.
Another core problem: The incident reporting system is not adequately prepared. Many organizations do not understand their exact reporting obligations to the competent authorities, have not defined clear thresholds for what counts as a reportable ("significant") incident, or lack the technical and procedural prerequisites for fast, structured reporting. The staged deadlines in NIS2 (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month) are hard to meet without a detection and triage process that is rehearsed in advance.
Supply chain security is also frequently underestimated. Organizations do not conduct systematic security assessments of their suppliers and service providers, or fail to enforce contractual security clauses consistently once they are in place. Furthermore, the current shortage of cybersecurity professionals makes it harder to recruit or develop the internal capacity needed for ongoing compliance.
Source: news.google.com · Published July 5, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.